Securely Managing Digital Assistants that Access Third-Party Applications

ABSTRACT

Systems herein allow a digital assistant to make requests to applications, such as third-party applications, that access data in an enterprise mobility management (“EMM”) system. The digital assistant can link to a portal application and receive a token that identifies a user. A remote application on a user device can establish a session with the portal application as part of a single sign on (“SSO”). The session can identify the same user. The portal application can then link the digital assistant to the remote application. When the digital assistant makes a request to the portal application, a notification can be pushed to the remote application. The user can confirm the request, establishing an authorized session during which time the digital assistant can make additional requests to the portal application. The portal application can service the requests by accessing third-party applications available through the portal application and authorized for access by the SSO.

BACKGROUND

Enterprise mobility management (“EMM”) systems have gained tremendouspopularity. They generally enable employees to use their own personalcomputing devices for work purposes, allowing enterprises to save moneyby purchasing fewer dedicated computing devices. Enterprises gainproductivity by implementing an EMM system because employees canconveniently perform work tasks from their own devices. In addition, themanagement features of EMM systems can prevent sensitive data fromleaving work applications, which are often managed by the EMM system.

The EMM system can grant the user access to third-party applications,such as email, by logging into the third-party application on behalf ofthe user. For example, the user can sign into the EMM system usingsingle sign on (“SSO”). Then, when the user attempts to open theircorporate email, the EMM system can log into the email application onbehalf of the user. This can allow the EMM system to control a user'saccess to corporate email and other third-party applications.

Another growing technology is that of digital assistants, such as SIRI,ALEXA, GOOGLE Assistant, and CORTANA. Users can speak a request, such asa question or command, to the digital assistant. The associated audio isparsed and a relevant service attempts to fulfill the request. Thedetected audio request can be turned into an API call to a third-partyserver, and the digital assistant can provide user credentials to log inand retrieve a result. For example, a user can say “ALEXA, play me asong from the Rolling Stones” and the digital assistant can contact aservice, supply user credentials, and retrieve an appropriate song.

However, digital assistants have not yet been successfully integratedwith enterprise applications. This is because EMM systems have not yethad a way to manage the security of digital assistants. The EMM systemoften does not directly control either the digital assistant or thethird-party service. Instead, the EMM system needs to act as anintermediary in order to retain control over the user's access toenterprise data. Integrating digital assistants while maintaining theEMM system as an intermediary has proven problematic. Normally, adigital assistant would store the access credentials for directlyaccessing a third-party application. But doing so would compromise theEMM system's control over enterprise data.

Likewise, the EMM system needs some way to verify that the person usingthe digital assistant is actually an enrolled user of the EMM system.For example, anyone near a digital assistant associated with the usercould say, “SIRI, open my email and read it.” If the digital assistantcould directly access the email, it could read sensitive information tosomeone other than the user without appropriate control and oversight bythe EMM system.

The security measures of an EMM system can also negate convenienceadvantages of a digital assistant. For example, if the user must loginto an application each time the digital assistant tries to carry out arequest, there would be little point in using a digital assistant. Themain reason to do so is the convenience of just talking to the device.If each request required the user to log in, digital assistants wouldnot be useful for accessing enterprise data in the third-partyapplications.

As a result, a need exists for managing access of third-partyapplications by digital assistants.

SUMMARY

An example system manages digital assistant access to third-partyapplications. A digital assistant can receive voice requests and fulfillthem by making requests to a linked service. A user can link a serviceto the digital assistant through use of an interface, such as a webbrowser, that allows access to an account associated with a digitalassistant. The account can allow the user to add services or skills tothe digital assistant, expanding the types of requests that the digitalassistant can attempt to fulfill.

In one example, the user can link the digital assistant to a portalapplication that is part of an enterprise mobility management (“EMM”)system. The portal application can execute as a web application or aninstalled application on a user device, such as a phone or tablet. Usingthe portal application, such as WORKSPACE ONE, the user can access oneor more third-party applications. The third-party applications can beemail or other enterprise applications, such as OUTLOOK or SALESFORCE.The portal application can store a user's credentials and provide theuser with access to any of the applications represented by the iconsdisplayed on the user device by authenticating the user to theapplications. For example, the portal application can use SSO to provideaccess to third-party applications. A user profile on a managementserver can specify which third-party applications are available to theuser. These third-party applications and other enterprise applicationscan be called first and second applications herein, and can be accessedthrough the portal application.

The request to link the digital assistant to the portal application canbe received by the backend server of the portal application. Forexample, linking the account of the digital assistant to the portalapplication can automatically direct the user to a webpage to thebackend server. The backend server can then prompt the user to login.Using a user device, the user can be authenticated at an identity serverthat can be separate from or part of the backend server. The identityserver can check the user's login credentials to make sure the user isenrolled in the EMM system.

After verifying the user, the identity server can return a token, suchas an OAuth token, to the backend server. This linking token canidentify the user associated with the digital assistant. The digitalassistant can store and use this linking token when making requests tothe portal application. This can allow the portal application toidentify the user expected to be associated with the digital assistant.

However, to ensure that an individual using the digital assistant is anenrolled user, an additional layer of authentication can be provided. Inone example, a remote application can execute on a user deviceassociated with the user. The remote application can allow the user toauthorize sessions or requests from the linked digital assistant. Theremote application can be installed on the user device or can be a webapplication accessed by the user device.

In one example, the remote application authenticates with the identityserver separately from the digital assistant. The remote application canauthenticate the user when the user logs into the portal application orthe EMM system. The remote application can use Security Assertion MarkupLanguage (“SAML”) or OAuth to authenticate itself with an identityserver as part of SSO in one example. When the user's identity isverified, the remote application can connect to the backend server. Inone example, the remote application can make an assertion, such as aSAML assertion at the backend server. The SAML assertion can containidentifying information that allows the backend server to identify theuser. Other assertions, such as tokens, are also possible. This canestablish a session between the remote application and the backendserver.

Using both the assertion and the linking token, the backend server candetermine that the same user is associated with both the digitalassistant and the remote application. This can allow the backend serverto link the digital assistant to the remote application. Using thislink, the backend server can ensure that the user at the remoteapplication approves of the digital assistant's requests.

When a user makes a request at the digital assistant that requiresaccess to a third-party application available at the portal application,the backend server can determine whether the user has authorized thedigital assistant to send requests through the portal application. Ifthe authorized session is not yet active, the backend server can push anotification to the remote application. The remote application candisplay a prompt for the user to validate the request of the digitalassistant. For example, the prompt can state, “Do you approve therequest made by your ALEXA?” The user can approve the request using theremote application. This can create an authenticated session token thatis valid for a period, such as ten minutes. The session token can bestored at the backend server. While the session token is valid, thebackend server can use the session token to access third-partyapplications on behalf of the digital assistant. The digital assistantcan make repeated requests within the time allotment without furthermanual verification from the remote application, in an example.

This process can allow an EMM system to provide the digital assistantwith managed access to the third-party applications. In one example, theuser does not need to individually log into the third-partyapplications. Instead, the identity server can maintain a library ofOAuth tokens and other credentials for logging the user into multipledifferent third-party applications. The authorized session can allow theportal application to provide access on behalf of the digital assistantbased on the other OAuth tokens stored by the identity server.

Access can be limited to particular third-party applications in oneexample. Users can have access to different applications based onprofiles stored at the management server. In one example, the user canindicate which third-party applications the digital assistant canaccess. This can allow a user to enable some of their enterpriseapplications for use with the digital assistant, but not others. In oneexample, the session token stored at the backend server can indicatewhich third-party applications are available to the digital assistant.In one example, the identity server can use these settings to determinewhich OAuth tokens to send to the backend server for accessing theapplications.

The management server, backend server, or remote application can alsorevoke access to one or more of the third-party applications. Forexample, an administrator can revoke user access to some or allapplications, such as when the user leaves the company. Additionally,the user can select which applications the digital assistant is allowedto access in an example. The selection can be a subset of the full suiteof applications available to the user through the portal application.

It is to be understood that both the foregoing general description andthe following detailed description are exemplary and explanatory onlyand are not restrictive of the examples, as claimed.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is an exemplary flow chart of steps performed in a system;

FIG. 2 is an exemplary flow chart of steps performed in a system;

FIG. 3 is an exemplary flow chart of steps performed in a system;

FIG. 4 is an exemplary flow chart of steps performed in a system;

FIG. 5A is an exemplary illustration of a graphical user interface;

FIG. 5B is an exemplary illustration of a graphical user interface;

FIG. 5C is an exemplary illustration of a graphical user interface;

FIG. 5D is an exemplary illustration of a graphical user interface; and

FIG. 6 is an exemplary illustration of system components.

DESCRIPTION OF THE EXAMPLES

Reference will now be made in detail to the present examples, includingexamples illustrated in the accompanying drawings. Wherever possible,the same reference numbers will be used throughout the drawings to referto the same or like parts.

An example system can allow a user's digital assistant to utilizethird-party applications that access enterprise data in an EMM system.In one example, both the digital assistant and third-party applicationcan be maintained separately from the EMM system, while still allowingthe EMM system to control transactions and maintain enterprise security.

A digital assistant can be any device that receives audio commands toaccess a service and return a result. Examples include SIRI, ALEXA,GOOGLE Assistant, and CORTANA. Alternatively, the digital assistant canpersist on a user device, such as a phone or tablet.

To access the third-party application, such as OUTLOOK, the digitalassistant can first link with a portal application. The portalapplication can serve as an access point for applications authorized foruse in the EMM system. The portal application can present differentapplications (including third-party applications) for the user,depending on the user's profile within the EMM system. The portalapplication can be a web application or can be installed on a userdevice. The portal application can require enrollment in the EMM systembefore the user can access some or all of the applications availablethrough the portal application.

In one example, the user can link their digital assistant to the portalapplication. The user can go to an account screen, such as by using abrowser on their user device, and direct the digital assistant to linkwith the portal application. The digital assistant or user device canconnect with the portal application by contacting a backend server witha link request. The portal application can then prompt the user tologin. Upon verifying the login, the backend server can return a token,such as an OAuth token, for use by the digital assistant in futurecommunications with the portal application. The OAuth token can includean encrypted user identifier in an example. The user identifier can be anumber, code, email address, or name of a user. This can allow thedigital assistant to identify itself as associated with the user.

As a second layer of authentication, the user can also log into the EMMsystem using a user device. The login can be part of an SSO process andrequire the user to be enrolled in the EMM system. An identity servercan authenticate the user and cause the user device to connect to thebackend server of the portal application.

In one example, the user device authenticates and connects to thebackend server by executing a remote application. The remote applicationcan establish a session with the portal application. To do this, theremote application can assert a user identifier, such as in a token orin a SAML assertion. The portal application can identify the same userfrom both the assertion and the OAuth token. This allows the backendserver of the portal application to associate the digital assistant withthe remote application at the user device.

When the digital assistant requests the portal application for access toa third-party application, the portal application can determine whetheran active session exists. If not, the remote application can prompt theuser at the user device to approve the request. Approval activates atimed session at the backend server. While the session is active, thedigital assistant can access some or all of the third-party applicationsthat the user can access as part of their SSO with the EMM system.

FIG. 1 includes exemplary stages performed by a backend server thatexecutes a portal application in an EMM system. At stage 110, thedigital assistant links with the portal application. To do this, a usercan navigate a graphical user interface (“GUI”) associated with thedigital assistant, such as a web interface. The web interface can beretrieved on a user device that is separate from the digital assistantin one example. Alternatively, the digital assistant can retrieve it.The GUI can include an option to link the digital assistant to one ormore applications or services. One such application or service can bethe portal application.

The portal application can be an application that provides varyinglevels of access to multiple other applications. These applications mayor may not be installed on the user device. Users enrolled in the EMMsystem can use the portal application, such as WORKSPACE ONE, to accessthird-party applications deployed as part of the EMM system. The portalapplication can give the user access to enterprise-related applications,including third-party applications such as OUTLOOK and SALESFORCE. Inone example, the portal application is a web application that a userdevice can access over a network, such as the Internet. Alternatively, aportal application can be installed on the user device.

When accessed by a user device, the portal application can displayapplication icons for any icons the user can access, or couldpotentially access, such as third-party applications. To access theapplications, the user device can first authenticate with the portalapplication. This can be an SSO authentication. The portal applicationcan then authenticate on the user's behalf at the other applications.The portal application or a separate identity server can storecredentials for logging the user into the various other applicationsaccessible through the portal application.

For the digital assistant to access a third-party application that isavailable through the portal application, a two-part authenticationprocess can take place. At stage 110, when the user selects an option tolink the digital assistant to the portal application, the GUI or digitalassistant can contact the backend server. If the digital assistant hasnot yet linked to the portal application, then it will not yet possess atoken to identify itself. As a result, the portal application can promptthe user to login.

The login can be verified by the backend server or a separate identityserver. When a user recognized by the EMM system logs in, the backendserver can send an OAuth token to the digital assistant. The OAuth tokencan include an encrypted user identifier. The backend server can decryptthe OAuth token and determine the user's identity.

However, a second authentication factor can be used to help ensure thatthe digital assistant is actually being used by the enrolled user,rather than by an unauthorized or unknown user. In one example, the userdevice can sign into the EMM system with SSO. The SSO can use SAML. Inone example, a remote application can contact the backend server oridentity server to log into the EMM system. The remote application canbe a web application or an installed application. The remote applicationcan also be part of an agent application that allows an EMM system tomanage some functionality of the user device. In one example, the remoteapplication requests an SSO service from the identity server. Aftervalidating the user device or user, the identity provider can respondwith an XHTML form, in one example. This can give the user device anaddress or other credential needed to make a SAML assertion to thebackend server.

At stage 120, the remote application of the user device can establish asession with the portal application. For example, the identity servercan make the SAML assertion to the backend server. This can authenticatethe remote application with the backend server and establish thesession. The session can allow the remote application and backend serverto send messages to one another over a network.

The SAML assertion can also identify the user. At stage 130, the backendserver can determine that the session is active and identifies the sameuser as the OAuth token presented from the digital assistant. This canallow the backend server to associate the remote application at the userdevice with the digital assistant.

At stage 140, the backend server can send a notification to the remoteapplication, indicating the portal application has received a requestfrom the digital assistant. For example, the digital assistant canrequest access to a third-party application that is available throughthe portal application. As an example, a user can say, “SIRI, open theportal app and read my email.” The digital assistant can make a requestto the portal application to open and return unread or recent emails. Ifthe request is authorized, the portal application can open thethird-party email application using credentials from the SSO. Therequest from the digital assistant can be an API call to the portalapplication in one example. The API call can cause the portalapplication to open the third-party email application, such as OUTLOOK,if the portal application determines the digital assistant is permittedto do so.

The backend server can check whether a session is active with the remoteapplication. If not, it can send a message back to the digital assistantthat can cause the digital assistant to tell the user to log into theEMM system. For example, the digital assistant can say “Please log intothe EMM system with your user device so I can send you a request.”

If the session is active between the backend server and remoteapplication, the backend server can send the notification to the remoteapplication at stage 140. The notification can appear on the screen ofthe user device. In one example, the notification can be a messagedisplayed by the remote application or the operating system (“OS”) ofthe computing device. For example, the notification can state, “Therehas been a request made by your SIRI. How would you like to proceed?”The remote application can present an option to authorize the request ordeny the request. The notification can also go to the digital assistant,in one example. This can allow the digital assistant to inform the userthat they need to authorize the digital assistant on their user device.

When the user chooses to confirm authorization, an authorization periodcan begin. During that period, the digital assistant can access one ormore applications available through the portal application, includingthe third-party application. For example, some or all of theapplications available to the user based on SSO at the portalapplication can be made available to the linked digital assistant, aswill be described later in more detail.

Based on the confirmation at the remote application, at stage 150 thedigital assistant can then access the third-party application. In oneexample, the backend server accesses the third-party application onbehalf of the user. The backend server (or an identity server) cansupply the credentials needed to access the third-party application. Thebackend server can receive the credential from the identity server in anexample. The identity server can log the user into applicationsassociated with the user's EMM profile as a background process. Upondoing so, the identity server can store the relevant tokens foraccessing the applications. The backend server can use these tokens toaccess the third-party application.

The third-party application can perform an action based on an API call.The backend server can make the API call, in an example. In general, theAPI call can be based on the user's speech request (including questionsand commands) to the digital assistant. The speech can be broken downinto a single intent and optionally one or more slots by the digitalassistant or a server that is dedicated to operating digital assistants.An intent indicates which service is responsible for handling the user'srequest. In this example, the service could be either the portalapplication or the third-party application. In either example, theintent can route the request to the portal application (i.e., backendserver).

The slots can be variables that inform what the service needs toprovide. For example, requesting unread email could yield differentslots than requesting the five most recent emails. These variables canresult in different searches, actions, or results from the portalapplication or third-party application.

In one example, using the intent and slots, the backend server can causeOUTLOOK can retrieve unread emails. The backend server can then forwardsome portion of those emails to the digital assistant for reading to theuser. The backend server can also forward some portion of those emailsfor display at the remote application, in an example.

FIG. 2 includes example stages performed by a remote application in anexample. The remote application can be installed at the user device aspart of enrollment in the EMM system in an example. Enrollment can allowthe EMM system, such as the backend server or other management server,to collect information from the user device. It can also allow the EMMsystem to install managed applications on the user device, such as theremote application. The remote application can be part of a managementagent in one example. If the OS on the user device does not already havethe needed EMM functionality built in, then a management agent can allowthe EMM system the requisite level of control over enterprise data andenterprise applications on the user device.

Alternatively, the remote application can be a web application. Forexample, a frontend of the portal application can execute in a webbrowser as the remote application at the user device.

At stage 210, the user device executes the remote application. This canoccur when then user device logs into the EMM system, opens the remoteapplication, or contacts the backend server through a web interface.

At stage 220, the remote application can begin a session with the portalapplication. This can occur when the remote application executes, whichcan require the user to sign into the EMM system. In one example, theremote application performs SSO at an identity provider, such as theidentity server. The remote application can use SAML, OAuth, or anotherauthentication method to authenticate itself with the identity serverand connect to the backend server. In one example, the identity serververifies the user's identity and returns an XHTML form that directs theremote application to connect to the backend server. In one example, theremote application can make a SAML assertion that reveals the identityof the user to the backend server.

Once connected to the backend server based on the credentials from theidentity server, the session begins and becomes active. The backendserver can maintain the session with the remote application. The backendserver can link the digital assistant and the remote application. Thisis because the SAML assertion from the remote application and the OAuth(or other) token from the digital assistant can both identify the sameuser. This link can allow for additional authentication of digitalassistant requests at the remote application.

At stage 230, the remote application can receive a notification from theportal application of a request by the digital assistant. The purpose ofthis notification can be to get the user to confirm or verify that thedigital assistant is authorized to access the applications provided bythe portal application. There are several reasons why this additionallayer of authentication is advantageous. As one example, the user mightnot actually be the one speaking their digital assistant. Instead, itcould be someone else in the room attempting to do so.

When backend server receives the request from the digital assistant, thebackend server can retrieve the user's identity from the OAuth token.For example, parameters in the OAuth token can be unique to the user,such as a tenant uniform resource locator in addition to an emailaddress. The OAuth token can be a JSON web token (“JWT”) encoded stringbased on user parameters. So when someone requests something from thedigital assistant, the request can reach the backend with the JWT token.The backend server can then decrypt the JWT token to reveal the identityof the user who is believed to be making the request.

The backend server can then check that this user has an active sessionbetween their remote application and the backend. If so, the backendthen pushes the notification to the remote application. If not, thebackend server can return a message to the digital assistant that causesthe digital assistant to prompt the user to execute the remoteapplication or log into the EMM system with their user device.

The notification of stage 230 can cause the remote application or OS ofthe user device to display a message to the user. The message can notifythe user that a digital assistant has made a request at the portalapplication.

At stage 240, the user can then confirm or deny the authorization of thedigital assistant's request. If the user confirms authorization, thebackend server can establish an authorization period or session in whichthe digital assistant can continue to make requests without furthermanual authorization at the remote application.

Additionally, the request can cause the portal application to access athird-party application. The available third-party applications can varybetween users. User profiles can dictate which third-party applicationsare available for which users. For example, a programmer can be assigneddifferent applications than a sales executive.

When the user signs into the portal application, a background servicecan log the user into a plurality of applications that access enterprisedata. The tokens or other credentials for these applications can bestored at the backend server or identity server. The portal applicationcan access and use these credentials to fulfill the request of thedigital assistant. For example, a request to “open the portalapplication and read email” can cause the portal application to log intoa third-party email application, such as OUTLOOK, using storedcredentials. Then the portal application can retrieve and return anemail from OUTLOOK to the digital assistant. In one example, this canallow an enterprise to authorize and control communications between athird-party digital assistant and a third-party application. Evenwithout ownership over the software of either side, the EMM system canmaintain control of its enterprise data.

In one example, the user can further select which applications availablethrough the portal application are available to the user's digitalassistant. For example, a GUI of the remote application or some otherapplication can display the various applications available to the useras part of SSO at the portal application. The user can then select whichof those applications to make available to their digital assistant. Theselected applications can be represented in a profile or an array ofbits that is stored at the backend server. For example, each potentiallyavailable application can be represented in the array of bits, with a“1” indicating an application can be accessed and a “0” indicating itcannot be accessed by the digital assistant.

Therefore, in one example, the backend server further determines whetherthe user has specified that the third-party application is accessible.If so, the backend server can carry out the request for the digitalassistant. Otherwise, the backend server can return a message to thedigital assistant, causing the digital assistant to notify the user toenable access to the third-party application.

FIG. 3 is another example method showing example stages performed by adigital assistant 310, remote application 320, backend server 330,identity server 335, and third-party application 340. At stage 352, theuser can link the digital assistant 310 to the backend server 330associated with the portal application. This can include logging into adigital assistant account to specify the link. In one example, theaccount is accessed in a web browser on a separate user device. Theaccount can include an option to link various services. The linkedservices can define which intents the digital assistant 310 can respondto and which services will carry out the requests. In one example, theportal application is a service that the user can link to their digitalassistant 310 in the account settings.

When the link is attempted at stage 352, the backend 330 can prompt theuser to authenticate themselves with the portal application at stage354. If the user has not already identified themselves in relation tothe digital assistant 310, the user can be prompted to authenticate atthe identity server 335. If the user enters a valid user ID, password,or other credential, the identity server 335 can return an OAuth tokenat stage 356. The token can be stored at the backend 330 and supplied tothe digital assistant 310 for future interactions with the backend. TheOAuth token can identify the user. It can be encrypted or the useridentifier(s) can be encrypted. In either example, the backend canextract information from the OAuth token that is used to identify theuser.

At stage 358, a remote application 320 can perform SSO with the identityserver 335. This can happen, for example, when the user device logs intoan EMM system or attempts to access the portal application. The identityserver 335 can return information that causes the remote application 320to contact the backend server 330.

At stage 360, this results in the remote application 320 establishing anactive session at the backend server. The remote application 320 canmake an SAML assertion at stage 361 when it contacts the backend server330. The SAML assertion can identify the user. The backend server 330can then associate the instance of the remote application 320 with thedigital assistant 310 based on both the digital assistant 310 and remoteapplication 320 identifying the same user to the backend server 330.This link between the remote application and the digital assistant canallow for another layer of authentication.

Meanwhile or afterwards, at stage 362 the identity server 335 or anotherservice can authenticate the user at multiple applications accessiblethrough the portal application as part of the user's SSO. In oneexample, the backend server 330 or some other management servermaintains user profiles that specify which applications and repositoriesthe user can access within the EMM system. The identity server 335 orbackend server 330 can retrieve and store credentials on the user'sbehalf for accessing these permitted applications and repositories.

In one example, the available applications and repositories can be basedon a group to which the user belongs within the enterprise. For example,programmers might have access to a different suite of applications thansales employees. The user's group can be indicated by the user profilein an example.

As part of the authentication at stage 362, the service can authenticatethe user with the third-party application 340. In response, the identityserver 335 can send tokens or other credentials to the backend server330 at stage 364. The credentials can be used to access the third-partyapplication 340, in an example. This can prevent the need for thedigital assistant 310 or user device to reenter credentials once fullycredentialed at the portal application.

With the digital assistant 310 linked to the remote application 320 atthe backend server 330, the system is setup to allow the user to confirmor deny the digital assistant's 310 requests to use the portalapplication.

At stage 366, the user can speak to the digital assistant and make arequest. For example, the request could be “open the portal applicationand read my new email.” At stage 368, a service running at the digitalassistant 310 or at a server can parse the audio. The audio is parsedinto an intent and at least one slot. The intent can indicate whichservice to contact, whereas the slots can indicate which functions orvariables to provide to the service. In this example, the intentindicates the portal application should be contacted. As a result, atstage 368, the digital assistant sends a request to the backend server330.

The request of stage 368 can include intent(s) and slot(s), and can besent with the OAuth token received at stage 356. This allows the backendserver 330 to determine the user that should be associated with therequest from the digital assistant 310.

At stage 370, the backend server 330 determines whether that user alsohas an active session between their remote application 320 and thebackend server 330. If not, the backend server 330 returns a message tothe digital assistant, causing it to tell the user to sign into the EMMsystem or execute the remote application.

Conversely, if the session is active, the backend server 330 pushes anotification to the remote application 320 at stage 372. Thenotification can cause the remote application 320 to prompt the user atstage 374. The prompt can notify the user that the digital assistant hassent a request to the portal application. The prompt can further ask theuser to confirm whether to allow the request.

At stage 376, the user can confirm the digital assistant 310 isauthorized to make the request. If confirmed, an authorization sessioncan begin at the backend server 330, allowing the digital assistant 310to continue making requests without requiring further confirmation for aperiod. For example, the authorization session can be set to last for 10minutes.

At stage 378, a user or administrator can select which applications thedigital assistant 310 can or cannot access. For example, even though theuser's profile can specify ten different applications are available tothe user through the portal application, the user can specify which ofthose should be accessible to the digital assistant 310. Likewise, ifthe enterprise deems some applications too sensitive for audio deliveryby a digital assistant 310, the user profile can restrict the digitalassistant from accessing them. For example, applications that accessinvoicing, tax information, HR information, or for viewing legallyprotected information can be flagged as inaccessible in a user profile.In some cases, accessibility by digital assistants can be defined basedon user groups. For example, an executive user group might be allowed touse their digital assistants with sensitive data or applications whereasa sales user group can be restricted from similar usage.

To allow the backend server 330 to discern which applications areavailable to the digital assistant 310, the backend server 330 can storean array of bits associated with the user. Each bit can be a zero or oneand represent whether or not an application is accessible to the digitalassistant 310. As an example, if ten applications are available to theuser in the portal application, the array of bits can be ten digitslong. Each digit can represent one of the applications. If second digitis a one, this indicates that the second application is available forrequests from the digital assistant 310. If the second digit is a zero,the second application is unavailable to the digital assistant 310.

Therefore, at stage 380, the backend server 330 can further checkwhether the third-party application 340 is available to the digitalassistant 310. If it is, then at stage 382 the backend server 330 canforward the request to the third-party application 340. The request canbe accompanied with a token stored as part of stage 364. The request canalso be formatted as an API call to the third-party application 340. TheAPI call can be formatted based on the intent and slots determined atstages 366 and 368.

At stage 384, the third-party application 340 can return a result to thebackend server 330 or digital assistant 310. At stage 386, the digitalassistant reads the result to the user. This can include reading thetext of an email or explaining what it has retrieved

In one example, the remote application 320 allows the user to revoke theauthorization session at stage 388. For example, even though the digitalassistant's authorized session might have several more minutesremaining, the user can cut the session short. This can be useful, forexample, if the user is leaving the digital assistant 310. By revokingthe session, the digital assistant 310 will be blocked from accessingthe portal application or the third-party application 340 until anotherauthorized session is established.

In one example, the remote application 320 includes a GUI option torevoke the session. The user can simply revoke the session by selectingthe option. In another example, the session is revoked when the userdevice (executing the remote application) moves outside of a geofencedarea. The user can set up a geofence around the digital assistant 310 inone example. This can allow the remote application 320 to automaticallyrevoke the session based on the user device leaving a geofenced area ofthe digital assistant 310. Revoking the session can cause the backendserver 330 to delete the bits indicating which applications can beaccessed, in an example.

FIG. 4 is another example flowchart that shows stages performed by thedigital assistant 310, remote application 320 of the user device, andportal application. At stage 410, the user can sign into an account forthe digital assistant 310. For example, the user can open an applicationor website to access the account. From within the account, the user canlink the digital assistant 310 to various backend services, includingthe portal application. In one example, the linking can be referred toas adding a skill to the digital assistant 310. At stage 415, the usercan add the portal application as a skill to the digital assistant 310.

At stage 420, to complete the linking, the user can be prompted to loginto the portal application. The user can supply their password or atoken recognized by the EMM system. This can allow an identity service,such as the identity server 335, to verify and authenticate the user. Atstage 425, the identity service can return an OAuth token to the backendserver 330 of the portal application. The backend server 330 can storethe OAuth token and provide a copy to the digital assistant for use infuture communications with the portal application. In one example, thebackend server 330 supplies the OAuth token to a digital assistantserver that contacted the portal application to establish the linking.For the purposes of this disclosure, that is one way the OAuth token canbe supplied to the digital assistant 310.

At stage 430, the user can perform SSO to log into the EMM system. Thiscan be done prior to or after the linking of stages 410 through 425. Theremote application can load on the user device and contact the portalapplication as part of the SSO. This can establish a session between theportal application and the remote application 320.

At stage 440, bit values can be provided to the portal application(e.g., backend server 330) to define which applications are available tothe user's digital assistant 310. In one example, the user can selectwhich applications are available at the remote application 320. The usercan select a subset of applications that are available to the userthrough the portal application. The applications available to the usethrough the portal application can be based on a profile stored at themanagement server or backend server 330. In another example, the profilecan also dictate which of the applications are available for requestsfrom the digital assistant 310. This can allow an administrator of theEMM system to restrict some applications from being used by the digitalassistant 310.

At stage 440, the identity service can provide tokens or othercredentials to the portal application. These be credentials can allowaccess to applications available through the portal application. Forexample, as part of SSO, a background service can log into the variousapplications associated with the user's profile. Each application canreturn an OAuth token or other credential for future communicationswithout further login (while the token or session is active). Thecredentials can be stored at the identity server 335 or backend server330 for use by the portal application.

At stage 445, the portal application can receive a request from thelinked digital assistant 310. The portal application can match userinformation from the OAuth token (from the digital assistant 310) touser information from the remote application 320 session. For example,the remote application 320 session can be established with a SAMLassertion that contains user information. The user information can beany information used to uniquely identify a user. Example userinformation can include domain information, an email address, or a useridentifier for looking up a user's identity in the EMM system. Theportal application can establish the link between an active session andthe user associated with the digital assistant 310 either before orafter receiving the request. If no session exists, then the portalapplication can return a message to the digital assistant 310 to promptthe user to establish a session before any requests can be fulfilled.

At stage 450, the portal application can notify the remote application320 of the request. The notification can display on the user device. Forexample, a prompt can notify the user that the digital assistant 310 isattempting to access the portal application, and provide the user withbuttons to allow or deny. If the user allows the activity, then anauthentication session is established. The session can be timed. Whileactive, the authentication session can permit the portal application tohandle requests from the digital assistant 310 without furtherpermission from the remote application.

At stage 455, the portal application or digital assistant 310 can sendthe request to the third-party application 340. In one example, theportal application determines an API call based on the intent or slotsreceived as part of the request from the digital assistant 310. Theportal application can then make the API call to the correct service,such as third-party application 340. The API call can be accompaniedwith a credential collected at stage 440.

Alternatively, the portal application can return an address and acredential to the digital assistant 310. This can allow the digitalassistant 310 to communicate with the third-party application 340.

At stage 460, the third-party application 340 can fulfill the request.This can include performing a query or action and returning a result,which can include enterprise data. If the third-party application 340 isan email application, the result can include portions of one or moreemails. The third-party application 340 could alternatively be a cloudstorage provider, and the result could be retrieving a file that matchesa description provided by a user.

In one example, the result is displayed in the remote application 320.Because the remote application 320 is linked to the digital assistant310, the backend server can provide information to both the digitalassistant 310 and the user device. For example, if the result includes afile, a link to the file can be presented at the remote application 320.This can allow the user to simply speak to the digital assistant 310 toeasily retrieve a file or email, but do work on the file or email at theuser device.

FIGS. 5A-5D include example GUI screens displayed on a user device. Whena user attempts to link the digital assistant 310 to the portalapplication, they can be presented with a login screen 510 of FIG. 5A.The login screen 510 can allow the user to enter a user name andpassword 516, in an example. The user can also select a domain 514 whenmultiple domains exist for the tenant at the portal application. Thenthe user can select an option 512 to sign in.

After the user has connected to the EMM system, they can be notified atthe user device of a request by the digital assistant 310 to access theportal application. FIG. 5B shows an example notification screen 520that can be displayed on the user device. The notification can include amessage 522 that alerts the user that a digital assistant 310 has made arequest to the portal application. If the user caused the digitalassistant 310 to make the request, then they can approve the request byselecting the approve option 524. Otherwise, they can select a rejectoption 526 to reject the request.

If the request is approved, the remote application 320 can establish anauthorization session with the backend server 330. The digital assistant310 can make requests without further authorization from the remoteapplication 320 while that session is active.

The remote application 320 can present additional options for managingdigital assistant 310 sessions. In one example, the user can select asessions option 528 to view active sessions. This can also allow a userto select and terminate a session, in an example.

The user can further select an application option 530 for selectingwhich applications the digital assistant 310 can access through theportal application. In one example, the GUI can list all of theapplications available to the user through the portal application. Theuser can then select which applications the digital assistant 310 can orcannot access. When the selections are saved, an array of bits can beupdated at the backend server 330 to control which of the applicationsthe digital assistant 310 can access. If the digital assistant 310 makesa request that needs to be handled by an inaccessible third-partyapplication 340, the portal application can prompt the user at theremote application 320 to enable that access to the third-partyapplication 340.

The remote application 320 can also include an option to log out 532.This can allow the user to end the session between the remoteapplication 320 and the backend server 330.

Turning to FIG. 5C, when the authorization session begins, the remoteapplication 320 can display a screen 540. This screen can indicate thetime left 542 in the authorized session. During this time, the digitalassistant 310 can continue to make requests to the portal application.However, the user can also end the session early by choosing an option544 to revoke the session. This option 544 can cause the backend server330 to again notify the remote application 320 of any additional requestby the digital assistant 310, again requiring user confirmation beforefulfilling the request.

FIG. 5D shows an example screen 550 for enabling particular applicationsfor use with the digital assistant 310. In one example, the portalapplication does not log into every possible application on the user'sbehalf until the user instructs the portal application to do so.Therefore, in an application screen, such as a screen presented based onapplication option 530, the user can scroll through and authorizeparticular applications available through the portal application. Inthis example, the user can select an option 552 to authenticate withthird-party application 340 OFFICE 365. This can cause the backendserver 330 or identity service to log into OFFICE 365 based oncredentials stored by the identity service.

In one example, a separate option 554 can allow the user to authorizethe digital assistant 310 to access the third-party application 340.Prior to authorization, the backend server 330 can block access from thedigital assistant 310 to the third-party application 340 even if anauthorization session exists. This option can be combined with theauthentication option 552 in another example.

Another option 556 can allow the user to use the third-party application356 from their user device. In one example, actions performed based onrequests from the digital assistant 310 can update in real time the GUIbeing displayed on the user device. As an example, if a user says,“CORTANA, open the portal and delete the most recent email from Mark,”the email interface on the user device can update to show the emailbeing deleted.

FIG. 6 is an illustration of example components of a system 600. Thedigital assistant 310 can be a computing device having a processor thatreceives and interprets audio commands. It can be a stand-alone deviceseparate from the user device 620. It can alternatively also be a phone,tablet, laptop, or other processor-based device that executes softwarefor listening and performing tasks.

When the digital assistant 310 receives an audio request, it can parsethe audio into intents and slots 610. This can be done at the digitalassistant 310 or at a server that the digital assistant 310 contacts.The intent can dictate which service the digital assistant contacts tofulfill the request. In this example, the intent can indicate that thebackend server 330 of the portal application 630 should be contacted.

The backend server 330 can be one or more servers that execute portionsof the portal application 630. The backend server 330 can also storebits 634 to indicate which applications 650 are accessible by thedigital assistant 310 when a session is active.

In this example, the digital assistant 310 can send an intent and slots610 to the backend server 330 as part of a request. The request can beaccompanied with an OAuth token received as part of linking the digitalassistant 310 to the portal application 630. The OAuth token canidentify the user. The OAuth token can be generated by the identityserver 335, in an example. The identity server 335 can be part of thebackend server 330 or can be one or more separate servers. The identityserver 335 can handle user authentication, in one example.

The user device 620 can be any processor-based device, such as a phone,laptop, tablet, or personal computer. The user device 620 can enroll inthe EMM system at the backend server 330 or a separate management server(not pictured). Enrollment can allow the EMM system to configure aprofile for the user. The profile can dictate which applications 650 areavailable to the user through the portal application 630.

In one example, the remote application 320 is installed on the userdevice 620 as part of enrollment. The remote application 320 can be partof a management agent that allows the backend server 330 or managementserver to control enterprise-related functionality on the user device620. Alternatively, the remote application 320 can be a web applicationthat the user accesses with an internet browser. In one example, duringenrollment, the user can receive a login or other credentials needed toaccess the portal application 630.

The remote application 320 can authenticate the user device 620 with theEMM system by authenticating with the identity server 335, in anexample. This authentication can be part of SSO. When the userauthenticates, the identity server 335 can direct the remote application320 to connect to the backend server 330, in an example. This can causethe user device 620 to make a SAML assertion that identifies the user tothe backend server 330 and starts a session with the backend server 330.

When the SAML assertion and OAuth token both identify the same user, thebackend server 330 can link the digital assistant 310 to the remoteapplication 320 of the user device 620. This can allow the backendserver 330 to verify with the user at the user device 620 beforeauthorizing a session for the digital assistant 310 at the portalapplication 630.

The identity server 335 can maintain a credential library 635 forlogging the user into the applications 650, including third-partyapplication 340. This can be used as part of SSO. Once the identityserver 335 has authenticated the user, the identity server can supplythe appropriate stored credentials, such as user names, passwords, ortokens, to log into the various third-party applications 340, 650. Thiscan also prevent the digital assistant 310 from having to individuallylog into each application 650 in an example.

In one example, the third-party application 340 can be an emailapplication that accesses enterprise email 640. The email 640 can bereturned to the backend server 330, which in turn can send some or allof the email 640 to the digital assistant 310 for reading to the user.In one example, only the necessary text, such as the subject and body,of the email 640 is returned to the digital assistant 310. Based onvoice requests at the digital assistant 310, the backend server 330 canalso return results to the remote application 320. This can allow theremote application 320 to visually display results as they are beingdescribed by the digital assistant 310.

In one example, the backend server 330 can cause the remote application320 to perform functions based on the digital assistant 310 request. Forexample, the remote application can open the third-party application 340and display email 640 that was requested by the digital assistant 310,in an example. The backend server 330 can communicate with the userdevice 620 through push notifications and instructions to the remoteapplication 320 based on the active session.

In an alternate example, the digital assistant 310 can be part of theremote application 320. In that example, the remote application 320 canhandle the voice functions of the digital assistant 310 while alsoallowing the user to validate the remote application 320 session withthe portal application.

Other components of FIG. 6 can also be combined in other examples. Inaddition to building the digital assistant 310 into the remoteapplication 320, the identity server 335 can be built into the backendserver 330. Similarly, the intent and slots 610 functionality can bebuilt into the backend server 330 in an example. This can allow thebackend server 330 to directly determine appropriate API calls. The APIcalls can be specific to the applications 650 implicated by a request.By bypassing a separate digital assistant 310 server, the security ofthe process can increase, in an example.

Other examples of the disclosure will be apparent to those skilled inthe art from consideration of the specification and practice of theexamples disclosed herein. The examples are not limited to an enterpriseenvironment, and may be applied at educational facilities or otherenvironments. The third party app need not be a third party app. Forexample, a company could put the whole system together within their ownecosystem.

Though some of the described methods have been presented as a series ofsteps, it should be appreciated that one or more steps can occursimultaneously, in an overlapping fashion, or in a different order. Theorder of steps presented is only illustrative of the possibilities andthose steps can be executed or performed in any suitable fashion.Moreover, the various features of the examples described here are notmutually exclusive. Rather any feature of any example described here canbe incorporated into any other suitable example. It is intended that thespecification and examples be considered as exemplary only, with a truescope and spirit of the disclosure being indicated by the followingclaims.

What is claimed is:
 1. A method for authorizing access from a digitalassistant to a first application comprising: receiving, at a backendserver, a request to link the digital assistant to a portal applicationthat provides access to applications, including the first application,as part of an enterprise mobility management (“EMM”) system; storing, atthe backend server, a linking token that is created, at least in part,by validating an identity of a user enrolled in the EMM system;receiving an assertion from a remote application, the assertionidentifying the same user as the linking token; receiving an accessrequest from the digital assistant; notifying the remote application ofthe access request; and based on user confirmation at the remoteapplication, establishing an authenticated session that allows thedigital assistant access to the first application.
 2. The method ofclaim 1, wherein the linking token is an OAuth token and the assertionis a Security Assertion Markup Language (“SAML”) assertion.
 3. Themethod of claim 1, further comprising performing single sign on (“SSO”)based on credentials from the remote application, wherein the assertionis received from the remote application during SSO.
 4. The method ofclaim 1, wherein the backend server stores information indicating whichapplications the digital assistant can access.
 5. The method of claim 1,wherein an identity server stores credentials used to access theapplications as part of a single sign on (“SSO”), wherein the firstapplication is a third-party application.
 6. The method of claim 5,wherein the authenticated session allows the backend server to sendadditional requests from the digital assistant to the applicationswithout further input from the user.
 7. The method of claim 1, furthercomprising: receiving a revocation from the remote application; and inresponse, invalidating the authenticated session, wherein invalidatingthe authenticated session causes the backend server to deny a subsequentaccess request from the digital assistant.
 8. A non-transitory,computer-readable medium containing instructions executed by at leastone processor to perform stages for authorizing access from a digitalassistant to a first application, the stages comprising: receiving, at abackend server, a request to link the digital assistant to a portalapplication that provides access to applications including the firstapplication as part of an enterprise mobility management (“EMM”) system;storing, at the backend server, a linking token that is created, atleast in part, by validating an identity of a user enrolled in the EMMsystem; receiving an assertion from a remote application, the assertionidentifying the same user as the linking token; receiving an accessrequest from the digital assistant; notifying the remote application ofthe access request; and based on user confirmation at the remoteapplication, establishing an authenticated session that allows thedigital assistant access to the first application.
 9. Thenon-transitory, computer-readable medium of claim 8, wherein the linkingtoken is an OAuth token and the assertion is a Security Assertion MarkupLanguage (“SAML”) assertion.
 10. The non-transitory, computer-readablemedium of claim 8, the stages further comprising performing single signon (“SSO”) based on credentials from the remote application, wherein theassertion is received from the remote application during SSO.
 11. Thenon-transitory, computer-readable medium of claim 8, wherein the backendserver stores information indicating which applications the digitalassistant can access.
 12. The non-transitory, computer-readable mediumof claim 8, wherein an identity server stores credentials used to accessthe applications as part of a single sign on (“SSO”), wherein the firstapplication is a third-party application.
 13. The non-transitory,computer-readable medium of claim 12, wherein the authenticated sessionallows the backend server to send additional requests from the digitalassistant to the applications without further input from the user. 14.The non-transitory, computer-readable medium of claim 8, the stagesfurther comprising: receiving a revocation from the remote application;and in response, invalidating the authenticated session, whereininvalidating the authenticated session causes the backend server to denya subsequent access request from the digital assistant.
 15. A system forauthorizing access from a digital assistant to a first application,comprising: a non-transitory, computer-readable medium containinginstructions; a processor that executes the instructions to performstages comprising: receiving, at a backend server, a request to link thedigital assistant to a portal application that provides access toapplications including the first application as part of an enterprisemobility management (“EMM”) system; storing, at the backend server, alinking token that is created, at least in part, by validating anidentity of a user enrolled in the EMM system; receiving an assertionfrom a remote application, the assertion identifying the same user asthe linking token; receiving an access request from the digitalassistant; notifying the remote application of the access request; andbased on user confirmation at the remote application, establishing anauthenticated session that allows the digital assistant access to thefirst application.
 16. The system of claim 15, wherein the linking tokenis an OAuth token and the assertion is a Security Assertion MarkupLanguage (“SAML”) assertion.
 17. The system of claim 15, the stagesfurther comprising performing single sign on (“SSO”) based oncredentials from the remote application, wherein the assertion isreceived from the remote application during SSO.
 18. The system of claim15, wherein the backend server stores information indicating whichapplications the digital assistant can access.
 19. The system of claim15, wherein an identity server stores credentials used to access theapplications as part of a single sign on (“SSO”), wherein the firstapplication is a third-party application.
 20. The system of claim 15,the stages further comprising: receiving a revocation from the remoteapplication; and in response, invalidating the authenticated session,wherein invalidating the authenticated session causes the backend serverto deny a subsequent access request from the digital assistant.